DNS Hijacking – KL Tech Meet-up, May 2015
Abhishek Dujari, Technical Project Manager (adujari@akamai.com)
What is DNS Hijacking
Some terms to remember:
DNS – Domain Name System
Domain Name Registry – Centralized record of domain names and their owners (one per TLD, e.g. .com)
Designated Registrar or Registrar – Where you register the domains
DNS Hosting Provider – Runs the name servers that serve your zone
Authoritative DNS and Recursive DNS – Authoritative servers answer for the zones they host; recursive servers (your ISP or corporate resolver) look names up on behalf of users
Chain of control: ICANN > Registry > Registrar > Owner
How DNS Works
Let's take a look at how Fast DNS works. Fast DNS can be configured as either a primary or a secondary DNS service. Let's take a look at how it works as a secondary DNS service first. Basically, you maintain zone data on your master name server, and Fast DNS zone transfer agents (ZTA) perform zone transfer requests to get that zone data and push it out to Fast DNS name servers. [CLICK] With a primary DNS, you upload zone data through either the Luna Control Center or Akamai's {OPEN} API. The zone transfer agent will push out your zone data to the Fast DNS name servers and provide you a list of name servers (typically six) that you can register with your domain registrar. [CLICK] Regardless of whether it's deployed as a primary or secondary DNS service, when a user performs a DNS lookup request for your site, www.example.com, his/her local name server will query the root name servers, which will refer the request to the .com name servers, which will refer the request to Fast DNS, which will resolve the request and return the IP address of your site.
[Diagram: Secondary DNS – zone data is uploaded from the customer-managed master by zone transfer request through the ZTA, validated, and pushed to a1-123.akam.net through a6-123.akam.net. Primary DNS – zone data is uploaded through Luna Control Center or the {OPEN} API and the Akamai name servers are registered with the domain registrar. Lookup – user → local name server → "www.example.com?" → Fast DNS → IP or CNAME.]
DNS Hijacking in the news
Get the Tech
Walkthrough of a planned DNS hijack
Impact of the DNS hijack
Uncovering a DNS hijack and recovery
Prevention
How it all happens.
Phase 1: Targeting. Hacktivists collaborate over IRC or social media, selecting multiple targets. Criminal rings develop plans for ransom.
Phase 2: Preparation.
Targeted organization domains are "looked up": a whois query returns the admin contact details.
A phishing domain is registered along with an SSL certificate, e.g. from StartSSL.
Malicious pages are hosted on free hosting, a free CDN, or compromised hosts and proxies, e.g. www.example-phish.com/fake-pages.html
A "catch-all" mailbox is set up for the target domains (*@example.com), so mail to any address lands in one inbox.
Phishing emails are crafted with a cloaked URL (demo: blacksquirrel.io, https://github.com/pentestgeek/phishing-frenzy).
Emails are sent to targets. Now they wait!
Phase 3: Bait and wait. Some emails are opened and the malicious URLs clicked. Once a password is received or a Remote Access Tool is active, the hacker is in business. Social engineering at its best!
OpSec! Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. Attackers avoid using payment information at all costs as it can be traced. Think free CDN, free SSL and free hosting!
Phase 4: OpSec (the attacker's reconnaissance inside the mailbox).
Log in to the victim's email account.
Look for any other sign-up emails. Perhaps the domain registrar?
Try the email/username and password on the registrar, web hosting and CDN accounts.
If the password does not work, send a password reset email to the victim's email account.
Look for other OpSec opportunities.
Phase 5: Exploit!
Access the registrar portal.
Change the DNS servers to point to third-party name servers under the hacker's control.
Change MX and A records to point to the attacker's own mail servers; both SMTP and POP/IMAP can be replaced.
OR access the CDN portal and change the origin IP to point to the cloaked hosting URL.
How compromised DNS Works
[Diagram: the same lookup as before, but the domain registrar now lists ns.sara-ns.com and ns.todd-ns.com instead of a1-123.akam.net through a6-123.akam.net. The .com name servers therefore refer the local name server to the attacker's servers, which answer "www.example.com?" with the IP or CNAME of the attacker's website. The Fast DNS servers still hold the correct zone data but are never asked.]
Impact. Anything is possible! Sky is the limit.
All emails sent and received are going to the attacker's mail server. They are reading everything.
The website is showing a different page. Owned by the attackers.
They are able to collect logged-in users' web sessions! (How? www.example.com now resolves to the attacker's server, so every browser holding a session cookie for the site sends that cookie straight to the attacker.)
They can still access your site by spoofing and inserting the stolen web sessions to steal customer data.
They can even access the VPN if there is no client certificate.
They are still able to send password reset emails to the victim's email account and take over social media accounts.
OpSec – network pivoting, exfiltration, command and control.
How to spot a DNS Hijack
DIG for it. Use multiple remote locations.
See where the compromise has happened. Follow the request process: Registrar! DNS, CDN, Web Hosting.
Ask each layer in the order a lookup walks it: the .com servers for the delegation (which name servers does the registry list?), those name servers for the zone (are the NS, A and MX records yours?), then your recursive resolver. The first layer whose answer differs from what you registered is where the attacker's access was used.
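The check described above, written out as an added example for this slide; it is not the speaker's code or an Akamai tool. The expected name servers are the six a1-123.akam.net through a6-123.akam.net from the diagram; the MX host, the vantage points, the attacker name servers and every piece of dig output are constructed. The three `dig` invocations in the class docstring are the assumed way each observation is gathered.

```python
"""Spot a DNS hijack and say which layer was changed: the registrar (delegation),
the DNS host (zone content) or a single resolver. Added example for the talk's
"How to spot a DNS Hijack" slide; it is not the speaker's code. Every name, vantage
point and dig output below is constructed."""
from dataclasses import dataclass

# The six Akamai name servers the talk shows registered for example.com.
EXPECTED_NS = frozenset(f"a{i}-123.akam.net." for i in range(1, 7))
# Assumed legitimate MX host for the example zone.
EXPECTED_MX = frozenset({"mail.example.com."})


def parse_dig_short(text: str) -> frozenset:
    """Turn `dig +short` output for NS or MX into a set of lower-cased host names.
    MX lines look like '10 mail.example.com.'; NS lines are the bare name."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            hosts.add(parts[-1].lower())
    return frozenset(hosts)


@dataclass(frozen=True)
class Observation:
    """What one vantage point saw. Run the three queries from each location:
    dig @a.gtld-servers.net example.com NS +short  -> ns_at_parent (the delegation)
    dig @a1-123.akam.net example.com NS +short     -> ns_at_auth   (the zone)
    dig example.com MX +short                      -> mx (via the local resolver)"""
    vantage: str
    ns_at_parent: frozenset
    ns_at_auth: frozenset
    mx: frozenset


def localize(observations: list) -> str:
    """Follow the request process top-down; report the first layer that disagrees
    with what you registered. Returns 'clean', 'registrar', 'dns-host' or
    'resolver:<vantage,...>'."""
    if not observations:
        raise ValueError("need at least one vantage point")
    # 1. Registrar: .com now delegates the domain to someone else's servers.
    #    Asking the TLD servers directly bypasses any resolver cache, so even one
    #    vantage point seeing a foreign delegation is conclusive.
    if any(o.ns_at_parent != EXPECTED_NS for o in observations):
        return "registrar"
    # 2. DNS host: delegation is intact but the zone content is wrong everywhere,
    #    so the DNS provider account (or the zone master) was used.
    bad = [o.vantage for o in observations
           if o.ns_at_auth != EXPECTED_NS or o.mx != EXPECTED_MX]
    if bad and len(bad) == len(observations):
        return "dns-host"
    # 3. Only some locations see bad data: that resolver is poisoned or lying,
    #    which is why the slide says to dig from multiple remote locations.
    if bad:
        return "resolver:" + ",".join(sorted(bad))
    return "clean"


# Constructed outputs for the hijack the talk walks through: the registrar account
# was used to replace the Akamai servers with the attacker's ns.sara-ns.com and
# ns.todd-ns.com. The office resolver still serves the old MX from its cache.
GOOD_NS = parse_dig_short("\n".join(sorted(EXPECTED_NS)))
HIJACKED_NS = parse_dig_short("ns.sara-ns.com.\nns.todd-ns.com.\n")
HIJACKED_MX = parse_dig_short("10 mx.sara-ns.com.")


def demo() -> str:
    office = Observation("office", HIJACKED_NS, HIJACKED_NS,
                         parse_dig_short("10 mail.example.com."))
    vps_sg = Observation("vps-sg", HIJACKED_NS, HIJACKED_NS, HIJACKED_MX)
    return localize([office, vps_sg])


if __name__ == "__main__":
    print("verdict:", demo())  # registrar
```

The office vantage point still sees the correct MX because its resolver cached the old records, which is exactly why a single local `dig` can look clean for hours after a hijack; querying the parent servers directly and from several locations avoids that blind spot.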
Recover from the hijack – time is running out!
Contact the third-party providers immediately to restore the correct records.
Shut down your web server. Invalidate all sessions.
Shut down email access/servers. Any other services on the same DNS? Sessions?
Use a secondary, non-public domain name as the recovery email address.
Rotate all passwords, including VPN. Sessions?
Notify the public, staff and vendors clearly on what has happened to avoid further data theft and breaches. Anyone possibly affected should be made aware.
It can take 24–48 hours to restore correct DNS records (resolvers keep serving the hijacked records until their TTL expires). Use IP addresses to connect to services until restoration is complete.
Take no risk! Assume all accounts are compromised.
Recovery contd…
Start the OpSec review: look for any third-party services that have not yet been identified and could have been compromised. Take the necessary action to lock them down.
Ensure you have full DNS control and email is secure before you start rotating passwords and re-enabling services (48 hours).
Prevention
Whois lookup. Chain of control: ICANN > Registry > Registrar > Owner.
Registry-level locks (set by the registry at the registrar's request; they cannot be removed from the registrar portal alone, so a stolen registrar login is not enough):
• serverDeleteProhibited
• serverUpdateProhibited
• serverTransferProhibited
Registrar-level locks (set by the registrar; anyone who can log in to the registrar account can remove them):
• clientDeleteProhibited
• clientUpdateProhibited
• clientTransferProhibited
Whois is public information. Email addresses listed in whois should not be used for account creation.
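An added check for the two points above (which locks are actually set on your domain, and whether the whois contacts expose the addresses you log in with); this is not from the talk. The status names are the standard EPP status codes; the whois record, the registrar name and the account domain are constructed.

```python
"""Audit a domain's public whois record for the locks the prevention slide lists
and for contact emails that should not double as account logins.
Added example, not part of the original talk; the whois text is constructed in
the 'Key: value' layout registrars print."""
import re

# Registry-level locks: set by the registry at the registrar's request.
SERVER_LOCKS = {"serverDeleteProhibited", "serverUpdateProhibited",
                "serverTransferProhibited"}
# Registrar-level locks: set by the registrar, removable from the registrar account.
CLIENT_LOCKS = {"clientDeleteProhibited", "clientUpdateProhibited",
                "clientTransferProhibited"}

# 'Domain Status: clientTransferProhibited https://icann.org/epp#...' -> code only
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)
EMAIL_RE = re.compile(r"^\s*(Registrant|Admin|Tech) Email:\s*(\S+)",
                      re.IGNORECASE | re.MULTILINE)


def audit_whois(whois_text: str, account_domains: set) -> dict:
    """Report missing locks and exposed contact emails.
    account_domains: the (ideally unadvertised) email domains used for registrar,
    CDN and hosting logins; a public whois address on one of them is a finding,
    because that is the address a phisher will target and reset."""
    statuses = {m.group(1) for m in STATUS_RE.finditer(whois_text)}
    emails = {m.group(2).lower() for m in EMAIL_RE.finditer(whois_text)}
    exposed = sorted(e for e in emails if e.rsplit("@", 1)[-1] in account_domains)
    return {
        "server_locks_missing": sorted(SERVER_LOCKS - statuses),
        "client_locks_missing": sorted(CLIENT_LOCKS - statuses),
        "registry_locked": SERVER_LOCKS <= statuses,
        "contact_emails_public": sorted(emails),   # empty means whois privacy is on
        "account_emails_exposed": exposed,
    }


# Constructed whois output for a domain with only registrar-level locks and
# no whois privacy: the situation the phishing walkthrough starts from.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Email: hostmaster@example.com
Admin Email: it-admin@example.com
Name Server: A1-123.AKAM.NET
"""


def demo() -> dict:
    # example.com is assumed to be the domain staff also use for registrar/CDN logins.
    return audit_whois(SAMPLE_WHOIS, {"example.com"})


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against `whois yourdomain` output for every domain you own; a non-empty `server_locks_missing` means a phished registrar password alone is enough to repoint the domain, and a non-empty `account_emails_exposed` means the whois record is advertising exactly the mailbox an attacker needs to take over.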
Prevention tips
Whois privacy.
DNS monitoring. A SOC is important.
VPN for email access. The VPN must use client certificates that can be revoked.
Use an unadvertised domain name for creating third-party accounts.
Select a good registrar that allows server* locks.
2FA/MFA, 2FA, 2FA…
Access (e.g. the Akamai Luna portal): practice good OpSec. Audit all third-party accounts. Ensure no users exist which are not needed in any system, such as the registrar or the Luna portal.
Use SSO where possible. The Akamai Luna portal supports SSO.
Educate and Inform
Conduct regular security exercises with your end users.
Educate end users on identifying scam/phishing emails.
Resources: https://blogs.akamai.com/